Simplifying Drupal Security: Protecting Your Clients and Your Company

Have you had “the talk” with your clients? You know, the one where you tell them that if they are going to be doing it, they need to be safe. If they are going to collect private information or integrate external services like PayPal or MailChimp, it is time to sit down and have a discussion—about security. A company’s website is a portal to customer information, and if hacked, can lead to a very public breach resulting in loss of customers, fines, and brand damage.

Businesses large and small—public and private—have security needs. In fact, it is often a surprise to small and medium-sized businesses that they are actually considered a greater target than large enterprises. Why? Because hackers know that SMBs are an easy target. Symantec recently published a report confirming that three out of five cyber-attacks target small and midsize companies. SMBs typically have weaker security controls and are not taking a defense in depth approach to data security—often because they are just not aware of security best practices—not because of price.

As Chris Teitzel, Drew Gorton, and I discussed at DrupalCon New Orleans (video below), by having the security conversation and implementing proper security controls, Drupal agencies can not only better protect their clients, but also gain additional revenue and set themselves apart.

But My Clients Aren’t Asking Me for Security

It may be true that your clients aren’t asking specifically for security, but they are paying you for it. Your clients expect site security, just as they expect you to anticipate and address their needs in other areas of site development. Further, by not implementing appropriate security controls, if there is a breach, you can be liable.

One example: In an effort to shift financial responsibility for a data breach at a community bank, Travelers Casualty and Surety Co. of America (insurer) filed suit against the bank's web designer, claiming its negligence and “substandard” maintenance of a website set the stage for a breach. As an agency, you can and should reduce your risk by implementing proper security for your clients, even if it means taking money out of your bottom line.

As many agencies that we interact with can attest, adding security as a line-item when responding to RFPs helped them win bids. It not only assured their prospective clients that security was top of mind, but also instilled confidence in the competency of their agency.

Starting the Security Conversation

With the importance of website security established, how do you start the security conversation with your clients? Are you asking the right questions during the discovery process? Do you know what questions to ask? With data breaches making headlines daily, security is top of mind and this conversation is more pertinent—and natural—than ever.

For example, the importance of key management is now resonating with the general public, thanks to Apple. The company is in the process of handing iCloud encryption keys to account holders so that no matter how many government subpoenas it receives, Apple has no way to decrypt user data. With (potential) clients hearing these stories, security becomes an easier sell.

As an agency, there are a few key Drupal security concepts that you need to understand before talking with your clients:

·      What is personally identifiable information (PII)?

·      Which compliance regulations your clients fall under (PCI DSS, HIPAA, FERPA, FISMA, etc.)

·      There is no security silver bullet—you need to take a defense in depth approach.

We’ll go into these points in a little more detail below.

Questions to Ask Your Clients

Security is not something that is on or off, but rather is on a continuum. Each site is unique, and depending on what your clients are going to do with theirs determines the layers of security needed. By fully understanding their business and site goals, you’ll avoid last minute surprises during the build. No one likes adding expense and time to the project (surprise!) and by asking the right questions upfront, you can save a lot of headache down the road. Some of the first questions during the discovery phase should be:

·      What information is going to be collected?

·      Who will have logins?

·      Anything being sold? Any donations?

·      Are you under any compliance requirements?

Additionally, if you hear any of the keywords below, take mental note. The site's security requirements just moved up the scale from less to more.

·      eCommerce

·      Integration

·      API

·      Registered users

·      Paywall

·      Forms

By asking the right questions and listening to their responses (as well as reading between the lines), you will be able to confidently put the proper security controls in place from the beginning.

We Had the Talk. Now What?

Now that the talk is over and your client is impressed with the attention to detail your agency gives—you provide business value and know that a site is more than code—it is time to get to work. First, let’s start with encrypting sensitive data:

Wait. I Should Encrypt That?

You may not be collecting credit card or social security numbers, but you still need to think about encryption. Why? Because PII extends beyond what the average Drupal developer might consider sensitive.

Generally speaking, PII is any information that alone, or when combined with other information, can identify a unique, individual person. PII goes beyond just a credit card or social security number. For example, the following can be considered PII:

·      First name

·      Last name

·      Email

·      Social media info

·      Phone number

Pause for a moment and consider how many websites you have built that collect this type of information. As you will quickly realize, even the most basic marketing websites collect PII that should be encrypted, and when you throw data security compliance requirements into the mix, the list grows longer. The Drupal community has built a great suite of modules to help users protect private data (Encrypt, Field Encryption, Encrypted Files, etc.).

Integrated Services?

If your client’s site gets hacked, the attacker also gains access to the integrated services. For example, if your Amazon S3 API key were in the stolen database, hackers would have access to your client’s entire offsite S3 storage. Consider how detrimental it would be for a client to find out that a hacker has gained access to their PayPal account—after all, they were using PayPal because they didn’t want to deal with the security risks and liability of hosting their own payment processing. It is essential to protect these API keys in order to not put you or your clients at risk.

The Key is Under the Welcome Mat

Unfortunately, within Drupal, encryption and API keys are stored in similarly insecure locations—in the Drupal database, the settings file, or a protected file on the server. Once a hacker compromises a site, they can take the encryption keys along with the data and have access to all the “encrypted” sensitive information. Fortunately, with the recent introduction of the Key module, users can now securely manage all keys (encryption and API) by storing and managing them outside of the Drupal installation with key management systems such as Townsend Security’s Alliance Key Manager or Cellar Door Media’s Lockr. For more on private API keys, encryption keys, and key management—check out my last post “To Key or Not to Key”.
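To make the difference concrete, here is an added example (not code from the original post, nor from the Key or Encrypt modules) that puts the “key under the welcome mat” pattern beside a key fetched at runtime from the Key module. It assumes Drupal 8+, the Key module with a key entity under the hypothetical machine name `pii_data_key` backed by an external key manager and holding 32 raw bytes, and PHP’s OpenSSL extension.

```php
<?php
// Added example; names such as 'pii_data_key' are hypothetical.
use Drupal\Core\Site\Settings;

// BEFORE: the key sits in settings.php next to the site. A database dump
// plus the settings file (both end up in the same backup or the same
// compromised host) yields the key and therefore every "encrypted" value.
//   settings.php:  $settings['pii_data_key'] = '<base64 of 32 random bytes>';
function legacy_pii_key(): string {
  // Readable by anyone who can read the codebase or a backup of it.
  return base64_decode(Settings::get('pii_data_key'));
}

// AFTER: the key is resolved through the Key module's repository service.
// With an external provider the raw key is never written to the database,
// the settings file or a file on the web host; a stolen copy of the site
// holds ciphertext only.
function managed_pii_key(): string {
  $key = \Drupal::service('key.repository')->getKey('pii_data_key');
  if ($key === NULL) {
    throw new \RuntimeException('Key pii_data_key is not configured.');
  }
  $value = $key->getKeyValue();
  if (strlen($value) !== 32) {
    throw new \RuntimeException('Expected a 32-byte AES-256 key.');
  }
  return $value;
}

// AES-256-GCM with a fresh random nonce; the auth tag is stored with the
// ciphertext so a tampered database value fails to decrypt.
function encrypt_pii(string $plaintext, string $key): string {
  $iv = random_bytes(12);
  $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
  return base64_encode($iv . $tag . $ct);
}

function decrypt_pii(string $blob, string $key): string {
  $raw = base64_decode($blob, TRUE);
  $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $key, OPENSSL_RAW_DATA,
                        substr($raw, 0, 12), substr($raw, 12, 16));
  if ($pt === FALSE) {
    throw new \RuntimeException('Decryption failed: wrong key or tampered data.');
  }
  return $pt;
}

// The call site is identical either way; only where the key comes from changes.
$stored = encrypt_pii('jane.doe@example.com', managed_pii_key());   // constructed sample PII
```

The point to check in a review is not the cipher call but the key source: if `legacy_pii_key()` is still reachable anywhere in the codebase, the encrypted fields are only as private as the settings file.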

Evaluating Hosting Platforms

Just say no to shared hosting. As Drew Gorton says, “If your site is worth more than $2.95, pay more than $2.95 on hosting. You get what you pay for.”

When you share the same server as an insecure site, it can bring you down when it is inevitably hacked. When choosing a hosting provider, ask about their infrastructure, security, and how they have dealt with security problems in the past. How did they respond to Drupalgeddon? Heartbleed? If they don’t have an impressive answer, you should see a red flag.

It is also important to note that hosting providers can say they are compliant with regulations like PCI DSS, but that doesn't mean that you are PCI compliant and have nothing to worry about. Your hosting provider’s certifications apply to them. What you do within that environment defines whether you are compliant or not.

At the End of the Day

Security is a growing niche and a great way to build a name for your agency, helping you win more and larger projects. Security builds trust, and clients who trust you are clients who refer you. By protecting your clients, you are protecting your business.

It is important to remember that there is no security silver bullet and you should take a defense in depth approach to protecting your clients. While encryption and key management were mentioned as ways to protect sensitive data, it is also important to not overlook enforcing strong passwords, using only contributed modules, and keeping Drupal updated, as well as deploying technologies like two factor authentication.

Want to learn more? Check out the blog I wrote on my session from DrupalCon Los Angeles: How Secure Is Your Data in Drupal? (And 5 Essential Security Tips)
